When a picture is uploaded with a weibo (microblog) post, validation is only performed on the front end; the server side does no security filtering.

\api\StatusesApi.class.php
" l* {4 O6 U7 K7 i h4 U" O6 r8 N- ?function uploadpic(){
' I8 _# |3 c0 L% L+ z7 ?5 K if( $_FILES['pic'] ){
1 Q* x: f$ f+ D9 z //执行上传操作$ \* ^9 Q* y |
$savePath = $this->_getSaveTempPath();, F8 H6 F8 }8 q' p
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);7 s4 M; G, {4 q! ]
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))2 {) c4 S) A4 r/ t
{
( `( g* [( E/ ?5 K$ Q; f1 M9 m6 _ $result['boolen'] = 1;
0 {6 I+ a# ]' g! V) Z5 A/ z $result['type_data'] = 'temp/'.$filename;
- }3 r8 H) ^ o $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;3 ]( q& w/ m2 l' S# l/ ~4 I1 \
} else {
% S' L! g* _ y/ o4 }1 N- o8 G/ ? $result['boolen'] = 0;
) z% X: }( s" A. t5 E5 q9 L! S $result['message'] = '上传失败';
& Y) H& b! K8 Q' L# M$ N% Q }
/ U$ }& w" V. H- W }else{
% p, S& Y. d$ T5 T1 C- [9 G $result['boolen'] = 0;
% F5 E& h% `" r4 [/ Z# ^& l) o/ T1 u4 Y g $result['message'] = '上传失败';
% I3 _+ l/ V; k' b# F/ Z( ^ }
% b4 ]+ ? z9 h/ \$ z+ Mreturn $result;+ K" f, V( n. f; y* d( M6 b* I6 X) G9 e, X
}+ h* Z3 [* K( ?9 l: ]' ?: J
The uploadpic() method does not validate the file type at all.

A form can be built that selects an arbitrary file and submits it to
/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found on the newly posted weibo (strip the small_ and middle_ prefixes).

After logging in to the official ThinkSNS weibo, build the following form:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Strip the thumbnail prefix (small_) from the picture address to reach the file as uploaded.

Fix:
9 g0 {" G" p8 R% [ v; A\api\StatusesApi.class.php* I1 M6 l3 r- E( l0 {1 F/ ~9 X/ ~1 i
) H0 L, r9 S& L) o# C3 H& ^6 X; [function uploadpic(){
' P. e. |# z" O$ S /**& _- Z' }$ v$ [) z) H) r
* 20121018 @yelo
" N" F9 T3 D' }# G6 o * 增加上传类型验证2 a( |& w1 @! r# e v
*/% e1 G- Y/ Y' l- P d! }
$pathinfo = pathinfo($_FILES['pic']['name']);
$ P; d H5 w, v" J $ext = $pathinfo['extension'];
, S1 X# }+ ^1 | $allowExts = array('jpg', 'png', 'gif', 'jpeg');5 n7 T4 S9 g5 d4 u; J: q: F8 M
$ t+ m5 ~" ]3 ^4 ^
$uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);3 V5 i5 a+ U$ Z0 r. l! g& X
. a/ n6 B, ], h5 m$ j) e. H
if( $uploadCondition ){% }& M1 S# m; d/ y" K6 l: z3 n' G# l
//执行上传操作
4 H- Y6 Z+ _5 ^" C% E $savePath = $this->_getSaveTempPath();* J* F4 n. C( E F) a9 {* o
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
$ o- _$ ]( J7 F3 J if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename)) d7 q( T! j3 r& S, g
{
) R) U r. D0 z. J! B; [) v; Y $result['boolen'] = 1;6 J" A) X3 ?5 I" u. B
$result['type_data'] = 'temp/'.$filename;. {; I8 I/ S v% A- @
$result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;4 E6 N& \+ }$ V8 E3 `/ ?* b3 ^
} else {* y- B! T4 z5 B; G( V
$result['boolen'] = 0;2 H+ l9 U5 J% ?, O! G( x+ [0 S, t
$result['message'] = '上传失败';
* z" B! c+ g. r: L( E- R& Z# [ }' `/ \! }4 Z" h" [* \
}else{
o- ~6 l- V, z $result['boolen'] = 0;
8 W7 M" p1 l' h# s $result['message'] = '上传失败';
: x9 B: q9 s. ], G5 V. W }* K, H6 h# o2 C% h7 b( s% N. d
return $result;
& s% k, _- ^( H0 b }
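The fix above checks only the final extension of the client-supplied name and still builds the stored filename from that name. As an added example (not ThinkSNS code, and not part of the original post), the following standalone PHP shows a stricter server-side validator for the same upload: it whitelists the final extension, verifies that the file content really is an image of the declared type with getimagesize(), builds the stored name from random bytes plus the whitelisted extension only, and uses move_uploaded_file() without a copy() fallback. The function names validatePicUpload() and storePicUpload() are my own; the result keys ('boolen', 'type_data', 'message') mirror the page's code. The demo at the bottom writes constructed sample files (a 1x1 GIF and a PHP text file) to the system temp directory and runs the validator on each.

```php
<?php
// Added example, not ThinkSNS code. $file has the same shape as $_FILES['pic'].

function validatePicUpload(array $file, array $allowExts = ['jpg', 'jpeg', 'png', 'gif']): array
{
    if (!isset($file['tmp_name']) || ($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['boolen' => 0, 'message' => 'upload failed: no file or transfer error'];
    }
    // Only the final extension counts, compared case-insensitively against the whitelist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowExts, true)) {
        return ['boolen' => 0, 'message' => 'upload failed: extension not allowed'];
    }
    // Check the content, not just the name: getimagesize() parses the image header
    // and returns false for anything that is not a recognised image.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return ['boolen' => 0, 'message' => 'upload failed: not an image'];
    }
    // The declared extension must agree with the detected image type.
    $typeToExt = [
        IMAGETYPE_JPEG => ['jpg', 'jpeg'],
        IMAGETYPE_PNG  => ['png'],
        IMAGETYPE_GIF  => ['gif'],
    ];
    if (!isset($typeToExt[$info[2]]) || !in_array($ext, $typeToExt[$info[2]], true)) {
        return ['boolen' => 0, 'message' => 'upload failed: extension does not match content'];
    }
    // Stored name: random bytes plus the whitelisted extension; nothing from the client name is reused.
    $filename = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['boolen' => 1, 'filename' => $filename];
}

function storePicUpload(array $file, string $saveDir): array
{
    $result = validatePicUpload($file);
    if ($result['boolen'] !== 1) {
        return $result;
    }
    $dest = rtrim($saveDir, '/') . '/' . $result['filename'];
    // move_uploaded_file() refuses files that did not arrive via HTTP POST; no copy() fallback.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['boolen' => 0, 'message' => 'upload failed: could not move file'];
    }
    $result['type_data'] = 'temp/' . $result['filename'];
    return $result;
}

// Constructed demo input: a 1x1 GIF (smallest valid GIF89a) and a PHP text file.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, "<?php echo 'x';");

$cases = [
    ['name' => 'photo.GIF',      'tmp_name' => $gif, 'error' => UPLOAD_ERR_OK], // accepted
    ['name' => 'script.php',     'tmp_name' => $txt, 'error' => UPLOAD_ERR_OK], // rejected: extension
    ['name' => 'script.php.gif', 'tmp_name' => $txt, 'error' => UPLOAD_ERR_OK], // rejected: content
    ['name' => 'photo.png',      'tmp_name' => $gif, 'error' => UPLOAD_ERR_OK], // rejected: mismatch
];
foreach ($cases as $c) {
    $r = validatePicUpload($c);
    echo $c['name'], ' => ', $r['boolen'] ? 'accepted as ' . $r['filename'] : $r['message'], PHP_EOL;
}
unlink($gif);
unlink($txt);
```

Run it with `php` from the command line to see the four outcomes; in a real request handler, pass `$_FILES['pic']` and the temp upload directory to storePicUpload(). Separating validation from the move is what makes the validator testable offline, since move_uploaded_file() only succeeds on files PHP itself received in a POST.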